Fix remote code execution and privilege escalation vulnerability.
To trigger this, one needs to have a user already.

Thanks to Jeriko One <jeriko.one@gmx.us> for finding and reporting this.

CVE-2019-12816
DarthGandalf committed Jun 15, 2019
1 parent 3bced9a commit 8de9e37
Showing 2 changed files with 30 additions and 9 deletions.
1 change: 1 addition & 0 deletions include/znc/Modules.h
@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
private:
static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
CModInfo& Info, CString& sRetMsg);
static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);

protected:
CUser* m_pUser;
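Review bot: The new private declaration `ValidateModuleName` carries no comment stating its contract, and since it is the check this security fix relies on, the header is the place to record it. Something like `// Returns true if sModule contains only [0-9A-Za-z_]; otherwise fills sRetMsg and returns false.` above the declaration would do. The comment should also say whether an empty name is meant to pass, because the loop in src/Modules.cpp never runs for an empty string and the function then returns true. The class body continues outside this hunk.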
38 changes: 29 additions & 9 deletions src/Modules.cpp
@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
return nullptr;
}

bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
for (unsigned int a = 0; a < sModule.length(); a++) {
if (((sModule[a] < '0') || (sModule[a] > '9')) &&
((sModule[a] < 'a') || (sModule[a] > 'z')) &&
((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
sRetMsg =
t_f("Module names can only contain letters, numbers and "
"underscores, [{1}] is invalid")(sModule);
return false;
}
}

return true;
}

bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
CModInfo::EModuleType eType, CUser* pUser,
CIRCNetwork* pNetwork, CString& sRetMsg) {
sRetMsg = "";

if (!ValidateModuleName(sModule, sRetMsg)) {
return false;
}

if (FindModule(sModule) != nullptr) {
sRetMsg = t_f("Module {1} already loaded.")(sModule);
return false;
@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,

bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
CString& sRetMsg) {
if (!ValidateModuleName(sModule, sRetMsg)) {
return false;
}

CString sModPath, sTmp;

bool bSuccess;
@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,

bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
const CString& sModPath, CString& sRetMsg) {
if (!ValidateModuleName(sModule, sRetMsg)) {
return false;
}

ModInfo.SetName(sModule);
ModInfo.SetPath(sModPath);

@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
// Some sane defaults in case anything errors out below
sRetMsg.clear();

for (unsigned int a = 0; a < sModule.length(); a++) {
if (((sModule[a] < '0') || (sModule[a] > '9')) &&
((sModule[a] < 'a') || (sModule[a] > 'z')) &&
((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
sRetMsg =
t_f("Module names can only contain letters, numbers and "
"underscores, [{1}] is invalid")(sModule);
return nullptr;
}
if (!ValidateModuleName(sModule, sRetMsg)) {
return nullptr;
}

// The second argument to dlopen() has a long history. It seems clear
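Review bot: The name check is repeated at the top of LoadModule, GetModInfo, GetModPathInfo and OpenModule, so the protection depends on every present and future entry point remembering to call it. ReloadModule appears only in a hunk header and its body is outside this view, so whether it is covered cannot be confirmed from the page. Consider enforcing the check once at the place where a module name is resolved to a file on disk (not visible here), keeping the per-entry calls only as early exits. On ValidateModuleName itself, a comment such as `// Security boundary (CVE-2019-12816): only [0-9A-Za-z_] may appear in a module name.` would tell maintainers why the allowlist must not be relaxed. The explicit range comparisons are locale-independent, which is worth keeping rather than switching to isalnum().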
